Yes, There Are Other Laws That Protect Privacy, But FCC's Rules Were Still Helpful

from the setting-the-record-straight dept

There's been a lot of hype and confusion about Congress's decision (supported by the new FCC) to kill off the broadband privacy rules that were put in place late last year by the Tom Wheeler FCC, though they had not yet been officially implemented. As we noted, it's an unfortunate exaggeration (pushed by some well meaning folks) to say that ISPs will now be packaging up and selling individuals' specific browsing history. That's just not true. Some people responded to us by noting that just because that's not how the ad market works today, it doesn't mean that won't change. But... that's probably not the case. Don't get me wrong: getting rid of these privacy rules is still a really bad idea, but let's look a little deeper at what ISPs can't do, before we explain why those privacy rules are still important.

First off, as we noted, the market for internet data is not in sharing some sort of dossier on what you like, but rather connecting into a marketplace, where the information is shared for the purpose of displaying ads, but not in a way where your actual info goes to the advertiser. That is, when you, say, go shopping for a camera, and then start seeing ads for cameras everywhere, it's not that the camera makers now know that you, Joe Schmoe, like cameras. Instead, what happens is that some company took that info (Joe Schmoe is shopping for cameras) and that gets put into a marketplace where some real time bidding happens for ad placement, such that when Joe Schmoe visits another site, there's a near instantaneous call out for who will pay the most for the ad slot, and with that info is, effectively, this otherwise anonymous person was just looking at cameras, and the camera company will say "I'll pay an extra $0.0002 for that ad compared to the TV maker" and thus the camera ad gets shown. The camera maker or retailer never knows its Joe Schmoe, and doesn't somehow "know" anything more about Joe.

But... but... but... people say. There are data brokers out there who do sell more personalized profiles on you. And... that's true. Many of those companies are pretty awful. But that's unrelated to any of this. And, no, the ISPs can't just turn themselves into the next big data brokers.

Even without the privacy rules, there are rules that prevent that from happening. Section 222 of the Communications Act still stops carriers from selling your info. Of course, that's part of Title II of the Telecom act, so if the FCC or Congress figure out a way to roll back Title II, there is at least some greater concern. Separately, as Orin Kerr notes at the Washington Post, certain other "surveillance" activities by service providers are limited by the Wiretap Act -- and there are some fairly stiff penalties should a broadband provider end up on the wrong side of that. Kerr (and others) have used these laws to suggest that the privacy rules repeal isn't that big of a deal. That's inaccurate.

Both of these things can be true: repealing the privacy rules does not magically create a free-for-all with your ISPs out there "selling" your browsing history to the highest bidder and the privacy rules were useful and should not have been repealed.

The issues are -- as with so many things -- a bit more nuanced than folks on either side of the debate are making them out to be. Again, part of this goes back to the way in which online advertising works and the ways in which your data is mined and used.

Broadband providers have a fairly terrible history in respecting your privacy. No, they haven't been directly selling browsing history dossiers, but they do have long histories of snooping on you in ways that were (1) totally hidden from you and (2) extremely difficult to block. Both AT&T and Verizon, for example, were caught using nearly undetectable "super cookies" to secretly track users across multiple devices and networks -- which (despite promises that they couldn't be abused) were abused by advertisers.

And this gets back to another point that I've made repeatedly over the years: privacy is not a "thing," rather privacy is about a set of trade-offs, in which individuals recognize that they give up some privacy for some benefit and then get to decide if it's worth the trade-off. The extreme example I've used in the past is that if you leave your home to go to the store to buy some milk, you are giving up a tiny bit of privacy. Someone may see you leaving your house. They may recognize you. They may see that you're buying some milk. For most people, it's easy to judge the costs and benefits of that trade-off and to decide that the minimal loss of privacy is worth it for the ability to buy the milk (some people -- such as celebrities with paparazzi followings -- may view the trade-off differently).

But the really important thing in privacy settings is making sure that two things are true for individuals: (1) that they have the information necessary to weigh the benefits and costs of the trade-offs and (2) they have some control over those trade-offs and can adjust at least some aspects of them, by having the options be more granular and controllable.

The problem with ISP snooping and the related advertising efforts is that neither of these conditions tends to be met. The snooping is done in a way that is surreptitious and not at all clear to the end user, and their ability to control how it's done, and perhaps change some of the factors involved, is basically non-existent. The FCC's rules (somewhat weakly) were put in place to change that. First, they required more transparency about what your access provider was actually doing and, second, gave the end user more control by requiring opt-ins to particularly "expensive" behavior and opt-outs to less privacy-invasive offerings.

This is what makes people -- quite reasonably -- upset. If they were given transparent understanding of what was happening, with at least some ability to control the situation, then they could decide for themselves what information is worth giving up for what services. But, instead, the internet access industry and the online ad industry apparently continue to believe that the only way they can do what they want to do is to trick people into letting themselves be spied on, and to hide the reality of the situation. This is dumb, and will do much more harm than good to the internet in the long run.

The danger here is not so much that Verizon will be selling me the websites that you visited. It's that these ISPs, which get tremendous insight into where you surf, will make use of that data in ways you don't understand and don't control, and do things that make you feel more and more uncomfortable, and less interested in using services that can and do provide tremendous benefit. That is not good for anyone. It makes people less trustful of their services, and less willing to use the internet in unique and innovative ways. If there were a truly competitive broadband market, then that situation would be limited. Verizon or AT&T's bad behavior would be limited, because people could go elsewhere. But the issue we have today, in the US especially, is that for many users, there really are no other options -- which is why those companies have been repeatedly caught doing those kinds of sketchy, privacy-invasive things in ways that its paying subscribers both are kept in the dark about and given little to no way to block.

So, no, these new privacy rules won't create new data markets of your browsing history -- and, yes, there are other laws in place that block them from doing truly egregious activity. But the lack of a competitive market, and the nature of online advertising, combined with the fairly stupid belief that people need to be tricked into giving up their info, creates a dangerous environment, one that will harm both end users and innovation. The former FCC privacy rules took a (very small) baby step towards preventing that kind of situation... and now they're dead.

Re:

I hate the FCC and want it destroyed, but you are correct.

That is exactly the mentality I get form people when I talk about it.

For many on the right the idea is... if the ISP cannot do it, then they are being unfairly treated because Yahoo & Google can do it. The fact that they are different types of businesses does not occur to them. And their solution is to destroy a partially beneficial law if it is not fully beneficial.

For many on the left, they are willing to destroy their personal liberty in a vain attempt at relief from a tyrannical business placing a monopoly over their heads.

As a person that pretty much hates both sides, all I can see are negative actors that would rather see everything destroyed if they cannot have it "their way" instead of taking what they can get.

I hate the FCC but I would much rather have the net rules that that dingo Wheeler put into place than to go without them.

Now we have Ajit, a dingo dickhead calling the shots. We upgraded from a peaceful dingo, to a menacing dingo!

This is why I want the FCC destroyed, to kill all of the rules granting these businesses government bless monopolies. Is that the end all? Shit no, there is still much work required of the entirely inept and impotent FTC.

Re: Re: Re:

His position seems to be that it's all of the other rules still in place which are giving the monopolies government blessing, and preventing other people from coming in to compete.

If I undestand matters correctly, he's said that he's in favor of anti-monopoly regulation, but against all other forms of regulation, on (I think) the grounds that all - or at least the overwhelming majority of - other forms of regulation serve to make it harder for people to come into the market and thus give those already in the market a competitive advantage.

I think that's going too far, personally, but a lot of the specific forms of regulation I think I've seen him mention in the specific market in question (spectrum licenses, pole-access rules, et cetera) do seem to have that effect. It's just that they may also have other, positive effects, which he seems to either ignore or reject out of hand as being obviously outweighed by the fact that they also represent government blessing of the market incumbent.

Re:

I haven't taken the "But they weren't in effect yet" argument to mean we're better off without them. I've seen it more as an argument against why things will suddenly be allowed to get so horribly bad. The rules weren't in effect yet and things weren't bad, therefore without the rules it won't all of a sudden become a post-apocalyptic world. Yes we'd be better off with the rules than without, but the mentality of "OMG, they killed the rules, the internet is over" is way overblown because the rules weren't even in effect yet anyway so cancelling them doesn't change anything but allow them to continue doing what they were already doing.

Gnats

" But the really important thing in privacy settings is making sure that two things are true for individuals: (1) that they have the information necessary to weigh the benefits and costs of the trade-offs and (2) they have some control over those trade-offs and can adjust at least some aspects of them, by having the options be more granular and controllable.

The problem with ISP snooping and the related advertising efforts is that neither of these conditions tends to be met. The snooping is done in a way that is surreptitious and not at all clear to the end user, and their ability to control how it's done, and perhaps change some of the factors involved, is basically non-existent. "

_______________________________

>>> 'The problem with {Government} snooping... is that neither of these conditions tends to be met. The {Government} snooping is done in a way that is surreptitious and not at all clear to the {citizens}, and {citizen} ability to control how it's done, and perhaps change some of the factors involved, is basically non-existent.

ISP snooping is totally trivial compared to American Government ubiquitous snooping. The FCC and all other Federal/State agencies are perfectly content with the government secretly archiving ALL your internet/telecommunications activity... and doing as they please with it. Fix this massive government malice --then maybe we'll get around to swatting the tiny ISP gnats.

Sure, they're limited now

It was annoying when the banner ad on my browser announced to the office that I put a new toilet in my bathroom, but I'd already bought it. What's the likelihood I'd be buying another?

And it was embarrassing when the banner ad on my browser made it look like I'd joined the Michigan Militia because I'd bought a tactical pen and a monocular for camping. Does that really indicate I might need an armored sleeve for knife fights?

As clumsy as it might be right now, the system knows plenty about me even if advertisers do not. And that information is accessible to parties unknown to me.

Truly much better if we have two federal agencies fighting over who can regulate what, allowing the tech companies to tie ANY enforcement in the courts for a decade. Then when each Circuit Court comes up with a different interpretation it goes to the Supremes and a decision is reached on tech 10 years out of date. Rinse and Repeat....

Re:

the two agencies are not fighting each other.

FTC Commissioner Terrell McSweeny believes net neutrality enforcement should be left to the FCC.

"I think it's important to have the expert regulator that understands the industry, technology, networks etc. be making decisions using its authority," McSweeny, a Democrat, told Ars. Besides having greater expertise in Internet service than the FTC, the FCC's "authority is broader than ours," she said.